From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrea Arcangeli <aarcange@redhat.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Hugh Dickins <hughd@google.com>, Jann Horn <jannh@google.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Mike Kravetz <mike.kravetz@oracle.com>,
Peter Xu <peterx@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.14 24/55] userfaultfd: shmem: add i_size checks
Date: Thu, 6 Dec 2018 15:38:58 +0100 [thread overview]
Message-ID: <20181206143003.056725404@linuxfoundation.org> (raw)
In-Reply-To: <20181206143001.749982936@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrea Arcangeli <aarcange@redhat.com>
commit e2a50c1f64145a04959df2442305d57307e5395a upstream.
With MAP_SHARED: recheck the i_size after taking the PT lock, to
serialize against truncate with the PT lock. Delete the page from the
pagecache if the i_size_read check fails.
With MAP_PRIVATE: check the i_size after the PT lock before mapping
anonymous memory or zeropages into the MAP_PRIVATE shmem mapping.
A mostly irrelevant cleanup: like we do the delete_from_page_cache()
pagecache removal after dropping the PT lock, the PT lock is a spinlock
so drop it before the sleepable page lock.
Link: http://lkml.kernel.org/r/20181126173452.26955-5-aarcange@redhat.com
Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Hugh Dickins <hughd@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/shmem.c | 18 ++++++++++++++++--
mm/userfaultfd.c | 26 ++++++++++++++++++++++++--
2 files changed, 40 insertions(+), 4 deletions(-)
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2244,6 +2244,7 @@ static int shmem_mfill_atomic_pte(struct
struct page *page;
pte_t _dst_pte, *dst_pte;
int ret;
+ pgoff_t offset, max_off;
ret = -ENOMEM;
if (!shmem_inode_acct_block(inode, 1))
@@ -2281,6 +2282,12 @@ static int shmem_mfill_atomic_pte(struct
__SetPageSwapBacked(page);
__SetPageUptodate(page);
+ ret = -EFAULT;
+ offset = linear_page_index(dst_vma, dst_addr);
+ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
+ if (unlikely(offset >= max_off))
+ goto out_release;
+
ret = mem_cgroup_try_charge(page, dst_mm, gfp, &memcg, false);
if (ret)
goto out_release;
@@ -2299,8 +2306,14 @@ static int shmem_mfill_atomic_pte(struct
if (dst_vma->vm_flags & VM_WRITE)
_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
- ret = -EEXIST;
dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
+
+ ret = -EFAULT;
+ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
+ if (unlikely(offset >= max_off))
+ goto out_release_uncharge_unlock;
+
+ ret = -EEXIST;
if (!pte_none(*dst_pte))
goto out_release_uncharge_unlock;
@@ -2318,13 +2331,14 @@ static int shmem_mfill_atomic_pte(struct
/* No need to invalidate - it was non-present before */
update_mmu_cache(dst_vma, dst_addr, dst_pte);
- unlock_page(page);
pte_unmap_unlock(dst_pte, ptl);
+ unlock_page(page);
ret = 0;
out:
return ret;
out_release_uncharge_unlock:
pte_unmap_unlock(dst_pte, ptl);
+ delete_from_page_cache(page);
out_release_uncharge:
mem_cgroup_cancel_charge(page, memcg, false);
out_release:
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -34,6 +34,8 @@ static int mcopy_atomic_pte(struct mm_st
void *page_kaddr;
int ret;
struct page *page;
+ pgoff_t offset, max_off;
+ struct inode *inode;
if (!*pagep) {
ret = -ENOMEM;
@@ -74,8 +76,17 @@ static int mcopy_atomic_pte(struct mm_st
if (dst_vma->vm_flags & VM_WRITE)
_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
- ret = -EEXIST;
dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
+ if (dst_vma->vm_file) {
+ /* the shmem MAP_PRIVATE case requires checking the i_size */
+ inode = dst_vma->vm_file->f_inode;
+ offset = linear_page_index(dst_vma, dst_addr);
+ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
+ ret = -EFAULT;
+ if (unlikely(offset >= max_off))
+ goto out_release_uncharge_unlock;
+ }
+ ret = -EEXIST;
if (!pte_none(*dst_pte))
goto out_release_uncharge_unlock;
@@ -109,11 +120,22 @@ static int mfill_zeropage_pte(struct mm_
pte_t _dst_pte, *dst_pte;
spinlock_t *ptl;
int ret;
+ pgoff_t offset, max_off;
+ struct inode *inode;
_dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr),
dst_vma->vm_page_prot));
- ret = -EEXIST;
dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
+ if (dst_vma->vm_file) {
+ /* the shmem MAP_PRIVATE case requires checking the i_size */
+ inode = dst_vma->vm_file->f_inode;
+ offset = linear_page_index(dst_vma, dst_addr);
+ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
+ ret = -EFAULT;
+ if (unlikely(offset >= max_off))
+ goto out_unlock;
+ }
+ ret = -EEXIST;
if (!pte_none(*dst_pte))
goto out_unlock;
set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte);
next prev parent reply other threads:[~2018-12-06 14:43 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-06 14:38 [PATCH 4.14 00/55] 4.14.87-stable review Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 01/55] Kbuild: suppress packed-not-aligned warning for default setting only Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 02/55] disable stringop truncation warnings for now Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 03/55] test_hexdump: use memcpy instead of strncpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 04/55] kobject: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 05/55] ALSA: intel_hdmi: Use strlcpy() instead of strncpy() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 06/55] unifdef: use memcpy instead of strncpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 07/55] kernfs: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 08/55] ip_tunnel: Fix name string concatenate in __ip_tunnel_create() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 09/55] drm: gma500: fix logic error Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 10/55] scsi: bfa: convert to strlcpy/strlcat Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 11/55] staging: rts5208: fix gcc-8 logic error warning Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 12/55] kdb: use memmove instead of overlapping memcpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 13/55] iser: set sector for ambiguous mr status errors Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 14/55] uprobes: Fix handle_swbp() vs. unregister() + register() race once more Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 15/55] MIPS: ralink: Fix mt7620 nd_sd pinmux Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 16/55] mips: fix mips_get_syscall_arg o32 check Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 17/55] IB/mlx5: Avoid load failure due to unknown link width Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 18/55] drm/ast: Fix incorrect free on ioregs Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 19/55] drm: set is_master to 0 upon drm_new_set_master() failure Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 20/55] drm/meson: Enable fast_io in meson_dw_hdmi_regmap_config Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 21/55] drm/meson: Fix OOB memory accesses in meson_viu_set_osd_lut() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 22/55] userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.14 23/55] userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem Greg Kroah-Hartman
2018-12-06 14:38 ` Greg Kroah-Hartman [this message]
2018-12-06 14:38 ` [PATCH 4.14 25/55] userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 26/55] scsi: scsi_devinfo: cleanly zero-pad devinfo strings Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 27/55] userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 28/55] ALSA: trident: Suppress gcc string warning Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 29/55] kgdboc: Fix restrict error Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 30/55] kgdboc: Fix warning with module build Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 31/55] svm: Add mutex_lock to protect apic_access_page_done on AMD systems Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 32/55] drm/msm: fix OF child-node lookup Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 33/55] Input: xpad - quirk all PDP Xbox One gamepads Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 34/55] Input: synaptics - add PNP ID for ThinkPad P50 to SMBus Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 35/55] Input: matrix_keypad - check for errors from of_get_named_gpio() Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 36/55] Input: cros_ec_keyb - fix button/switch capability reports Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 37/55] Input: elan_i2c - add ELAN0620 to the ACPI table Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 38/55] Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 39/55] Input: elan_i2c - add support for ELAN0621 touchpad Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 40/55] btrfs: tree-checker: Dont check max block group size as current max chunk size limit is unreliable Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 41/55] btrfs: Always try all copies when reading extent buffers Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 42/55] ARC: change defconfig defaults to ARCv2 Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 43/55] arc: [devboards] Add support of NFSv3 ACL Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 44/55] udf: Allow mounting volumes with incorrect identification strings Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 45/55] reset: make device_reset_optional() really optional Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 46/55] reset: remove remaining WARN_ON() in <linux/reset.h> Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 47/55] mm: cleancache: fix corruption on missed inode invalidation Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 48/55] thermal/drivers/hisi: Remove the multiple sensors support Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 49/55] thermal/drivers/hisi: Remove pointless lock Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 50/55] thermal/drivers/hisi: Encapsulate register writes into helpers Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 51/55] thermal/drivers/hisi: Fix configuration register setting Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 52/55] thermal/drivers/hisi: Remove costly sensor inspection Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 53/55] mm: hide incomplete nr_indirectly_reclaimable in /proc/zoneinfo Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 54/55] net: qed: use correct strncpy() size Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.14 55/55] tipc: use destination length for copy string Greg Kroah-Hartman
2018-12-06 20:12 ` [PATCH 4.14 00/55] 4.14.87-stable review kernelci.org bot
2018-12-06 22:09 ` shuah
2018-12-07 8:39 ` Naresh Kamboju
2018-12-07 9:33 ` Jon Hunter
2018-12-07 20:30 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181206143003.056725404@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=dgilbert@redhat.com \
--cc=hughd@google.com \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mike.kravetz@oracle.com \
--cc=peterx@redhat.com \
--cc=rppt@linux.ibm.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox